Solace Blog

Cyber resilience is not just for ICT teams

By Stephen Baker, Chief Executive at Suffolk Coastal and Waveney Councils and Solace Spokesperson on Civil Resilience and Community Safety

OK colleagues, I need a favour, but more of that later…

I recently attended the LG Cyber Summit, an event jointly arranged by Central and Local Government, to consider the issue of cyber security from a Local Government perspective. This was an important event as it not only heralded another step forward in the way that sectors and agencies are working together on this issue, but it also highlighted the threats that exist within the digital/cyber world, and how these need to be addressed.

As a speaker at the event I was asked to consider the challenge of local leadership, and how it supports a response to the threat of a cyber attack. My first thought was whether, as local leaders, we recognise the risk at all. There is a perception that the threat only applies to national and multi-national organisations - the ones with wealth, the ones with profile. Yet nothing could be further from the truth. Our organisations, our councils, are also very much a target for those who could disrupt our business. I choose my words carefully here because the motivations of those who want to penetrate our systems are varied and complex. Certainly there are those who may wish to seek financial gain, but there are also those who simply want to prove a point, demonstrating that a system is not as secure as claimed. And there are those who may not even start out intending to access a system illegally, but end up doing so simply because they can, and it gives them a thrill to do so. The teenager hunkered down in their room will have no concept of the damage or disruption that they have caused by hacking into a council system, but it was there, and it was a challenge, and they were curious, and so they did it.

I suspect that we also struggle to assimilate the risk of a cyber attack with other risks to our business continuity. Risks such as those from fire or flood, or from a loss of staff due to pandemic illness, are easily understood and quantifiable. We are able to respond to such risks, add them to the register, and have contingency plans in place, because they are more ‘visible’. However, a cyber attack is much more difficult to quantify: how would it happen? What would the effect be? Which systems would be affected? This latter point is particularly relevant to us given the number and complexity of systems that we operate. The complexity is a real challenge as it prompts us to put the issue on the “needs more time to consider” pile (the one next to the “too difficult to do” pile). As a result, there is a temptation to ‘over-rationalise’ the risk. We ask ourselves whether it is really likely to happen, then we are distracted, and we move on to another priority that is more pressing.

However, the effect of a cyber attack would be far reaching and extremely damaging, not only in financial terms, but also in terms of reputation and confidence. This calls into question how we respond, as an effective response could limit this damage. We are all digitising processes and services and becoming more reliant on providing online services than ever before. The faith our customers and users have in those services could be fundamentally fractured if we suffer a cyber attack, and worse still if we respond to it slowly and ineffectively. Some have observed that the damage caused to confidence and reputation, by a successful cyber attack, is the biggest risk of all.

The leadership role is a critical one. I suggest this must be led ‘from the top’. This cannot be left to the ICT Team to address. As Chief Executives and senior managers we must be aware of this risk and establish the right mechanisms and culture to protect ourselves as much as we can from this unknown and unquantifiable threat. If you haven’t asked ICT lately how often your systems are ‘attacked’ then go and ask. I think you’ll be surprised by the response. Don’t get me wrong, I’m not being alarmist about this, just realistic. We need to understand the risk, and the potential damage, that’s all.

So, back to that favour I wanted to ask. It’s simple. At the end of your next management team meeting allow 15-20 minutes on the agenda to pause and then make the following statement to your colleagues:

“I have just been informed that our IT systems have been hacked. All our screens are displaying the same scrolling message. We have no email or financial systems. Apart from a few isolated non-network systems, nothing is working because everything has been shut down as a precautionary measure. We cannot communicate, we cannot pay bills, we cannot process benefits or collect income. What do we do now? Oh, and the Leader is on the phone to IT asking why his email has gone down …”